When one million of your customers have their IP addresses added to a spam blacklist, there is clearly something wrong with your security systems. Just ask Telewest, this is exactly what it experienced in May after 17,000 of its users saw their computers turn into spam bots.
Whose fault was this? The users, for failing to update their security software; the ISP for failing to take responsibility for PCs connected to its network; the spammers and virus writers, for exploiting insecure PCs; or Microsoft (and all these PCs will be running Microsoft software), for producing insecure software in the first place? Obviously, all of them.

But while culpability is widespread, the ability to improve the situation is not. Expecting users to install a secure operating system is as unrealistic as expecting Microsoft to produce one, or expecting virus writers and spammers to realise the errors of their ways and take up employment in a soup kitchen.